Sality

Sality is a family of polymorphic file-infecting viruses for Windows with keylogging and backdoor capabilities. Early variants (detected as W32.HLLP.Sality) infect executable files by prepending their code to the host file; later variants append it. Its behaviour is often compared to other well-known polymorphic and network-spreading viruses such as Conficker (also known as Downadup) and the older Nimda. The virus appends itself to every .exe and .scr file that is run on the machine and spreads over removable (USB) drives, e-mail and shared folders in Windows domains and workgroups. It disables and removes security software: it terminates processes and deletes files whose names match the following patterns:

* _AVPM.
* A2GUARD.
* AAVSHIELD.
* AVAST
* ADVCHK.
* AHNSD.
* AIRDEFENSE
* ALERTSVC
* ALOGSERV
* ALSVC.
* AMON.
* ANTI-TROJAN.
* AVZ.
* ANTIVIR
* APVXDWIN.
* ARMOR2NET.
* ASHAVAST.
* ASHDISP.
* ASHENHCD.
* ASHMAISV.
* ASHPOPWZ.
* ASHSERV.
* ASHSIMPL.
* ASHSKPCK.
* ASHWEBSV.
* ASWUPDSV.
* ATCON.
* ATUPDATER.
* ATWATCH.
* AVCIMAN.
* AVCONSOL.
* AVENGINE.
* AVESVC.
* AVGAMSVR.
* AVGCC.
* AVGCC32.
* AVGCTRL.
* AVGEMC.
* AVGFWSRV.
* AVGNT.
* AVGNTDD
* AVGNTMGR
* AVGSERV.
* AVGUARD.
* AVGUPSVC.
* AVINITNT.
* AVKSERV.
* AVKSERVICE.
* AVKWCTL.
* AVP.
* AVP32.
* AVPCC.
* AVPM.
* AVAST
* AVSERVER.
* AVSCHED32.
* AVSYNMGR.
* AVWUPD32.
* AVWUPSRV.
* AVXMONITOR9X.
* AVXMONITORNT.
* AVXQUAR.
* BDMCON.
* BDNEWS.
* BDSUBMIT.
* BDSWITCH.
* BLACKD.
* BLACKICE.
* CAFIX.
* CCAPP.
* CCEVTMGR.
* CCPROXY.
* CCSETMGR.
* CFIAUDIT.
* CLAMTRAY.
* CLAMWIN.
* CLAW95.
* CUREIT
* DEFWATCH.
* DRVIRUS.
* DRWADINS.
* DRWEB32W.
* DRWEBSCD.
* DRWEBUPW.
* DWEBLLIO
* DWEBIO
* ESCANH95.
* ESCANHNT.
* EWIDOCTRL.
* EZANTIVIRUSREGISTRATIONCHECK.
* F-AGNT95.
* FAMEH32.
* FILEMON
* FIRESVC.
* FIRETRAY.
* FIREWALL.
* FPAVUPDM.
* FRESHCLAM.
* EKRN.
* FSAV32.
* FSAVGUI.
* FSBWSYS.
* F-SCHED.
* FSDFWD.
* FSGK32.
* FSGK32ST.
* FSGUIEXE.
* FSMA32.
* FSMB32.
* FSPEX.
* FSSM32.
* F-STOPW.
* GCASDTSERV.
* GCASSERV.
* GIANTANTISPYWAREMAIN.
* GIANTANTISPYWAREUPDATER.
* GUARDGUI.
* GUARDNT.
* HREGMON.
* HRRES.
* HSOCKPE.
* HUPDATE.
* IAMAPP.
* IAMSERV.
* ICLOAD95.
* ICLOADNT.
* ICMON.
* ICSSUPPNT.
* ICSUPP95.
* ICSUPPNT.
* IFACE.
* INETUPD.
* INOCIT.
* INORPC.
* INORT.
* INOTASK.
* INOUPTNG.
* IOMON98.
* ISAFE.
* ISATRAY.
* ISRV95.
* ISSVC.
* KAV.
* KAVMM.
* KAVPF.
* KAVPFW.
* KAVSTART.
* KAVSVC.
* KAVSVCUI.
* KMAILMON.
* KPFWSVC.
* MCAGENT.
* MCMNHDLR.
* MCREGWIZ.
* MCUPDATE.
* MCVSSHLD.
* MINILOG.
* MYAGTSVC.
* MYAGTTRY.
* NAVAPSVC.
* NAVAPW32.
* NAVLU32.
* NAVW32.
* NEOWATCHLOG.
* NEOWATCHTRAY.
* NISSERV
* NISUM.
* NMAIN.
* NOD32
* NORMIST.
* NOTSTART.
* NPAVTRAY.
* NPFMNTOR.
* NPFMSG.
* NPROTECT.
* NSCHED32.
* NSMDTR.
* NSSSERV.
* NSSTRAY.
* NTRTSCAN.
* NTOS.
* NTXCONFIG.
* NUPGRADE.
* NVCOD.
* NVCTE.
* NVCUT.
* NWSERVICE.
* OFCPFWSVC.
* OUTPOST
* OP_MON.
* PAVFIRES.
* PAVFNSVR.
* PAVKRE.
* PAVPROT.
* PAVPROXY.
* PAVPRSRV.
* PAVSRV51.
* PAVSS.
* PCCGUIDE.
* PCCIOMON.
* PCCNTMON.
* PCCPFW.
* PCCTLCOM.
* PCTAV.
* PERSFW.
* PERTSK.
* PERVAC.
* PNMSRV.
* POP3TRAP.
* POPROXY.
* PREVSRV.
* PSIMSVC.
* QHONLINE.
* QHONSVC.
* QHWSCSVC.
* RAVMON.
* RAVTIMER.
* AVGNT
* AVCENTER.
* RFWMAIN.
* RTVSCAN.
* RTVSCN95.
* RULAUNCH.
* SALITY
* SAVADMINSERVICE.
* SAVMAIN.
* SAVPROGRESS.
* SAVSCAN.
* SCANNINGPROCESS.
* SDRA64.
* SDHELP.
* SHSTAT.
* SITECLI.
* SPBBCSVC.
* SPHINX.
* SPIDERCPL.
* SPIDERML.
* SPIDERNT.
* SPIDERUI.
* SPYBOTSD.
* SPYXX.
* SS3EDIT.
* STOPSIGNAV.
* SWAGENT.
* SWDOCTOR.
* SWNETSUP.
* SYMLCSVC.
* SYMPROXYSVC.
* SYMSPORT.
* SYMWSC.
* SYNMGR.
* TAUMON.
* TBMON.
* AVAST
* TMLISTEN.
* TMNTSRV.
* TMPFW.
* TMPROXY.
* TNBUTIL.
* TRJSCAN.
* UP2DATE.
* VBA32ECM.
* VBA32IFS.
* VBA32LDR.
* VBA32PP3.
* VBSNTW.
* VCRMON.
* VPTRAY.
* VRFWSVC.
* VRMONNT.
* VRMONSVC.
* VRRW32.
* VSECOMR.
* VSHWIN32.
* VSMON.
* VSSERV.
* VSSTAT.
* WATCHDOG.
* WEBSCANX.
* WEBTRAP.
* WGFE95.
* WINAW32.
* WINROUTE.
* WINSS.
* WINSSNOTIFY.
* WRCTRL.
* XCOMMSVR.
* ZAUINST
* ZLCLIENT
* ZONEALARM

Installation

Sality.AT drops a device driver at the following path:

%SystemRoot%\system32\drivers\amsint32.sys

The file amsint32.sys is detected as Trojan:WinNT/Sality. The virus creates a service named amsint to load it. Sality.AT communicates with the driver component to restore the system service descriptor table (SSDT), which removes the kernel hooks that security products place there to monitor system calls.

Payloads

Prevents Safe Mode from starting by deleting the registry subkeys under:
* HKLM\System\CurrentControlSet\Control\SafeBoot
* HKCU\System\CurrentControlSet\Control\SafeBoot

It disables the firewall and antivirus software and, while it stays resident, re-infects files that have been cleaned by a disinfection tool such as Kaspersky's SalityKiller.
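The Installation and Payloads indicators above (the dropped driver and its service, the deleted SafeBoot subkeys, and the two per-user registry values the virus sets, which are described in this section) can be checked from an elevated PowerShell prompt on a suspect host. The following triage script is an added example; it is not part of the original article and not a vendor tool. The file, service and registry names are the ones the article gives; the -Remediate switch is an assumption of this example, and it only restores the two per-user values, because the driver, the service and the infected executables need a dedicated disinfection tool rather than a registry edit.

```powershell
# Added example, not from the article or from any vendor tool: read-only triage of the
# Sality.AT host indicators on a suspect Windows machine. Run from an elevated prompt.
# Assumptions: Windows 7 / PowerShell 4 or later; the file, service and registry names
# are the ones given in the article. The -Remediate switch is this example's own addition.
[CmdletBinding()]
param([switch]$Remediate)

$findings = New-Object System.Collections.Generic.List[string]

# 1. The dropped kernel driver and the service entry that loads it.
$driverPath = Join-Path $env:SystemRoot 'System32\drivers\amsint32.sys'
if (Test-Path -LiteralPath $driverPath) {
    $sha256 = (Get-FileHash -LiteralPath $driverPath -Algorithm SHA256).Hash
    $findings.Add("driver file present: $driverPath (SHA256 $sha256)")
}
$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\amsint'
if (Test-Path -LiteralPath $serviceKey) {
    $imagePath = (Get-ItemProperty -LiteralPath $serviceKey).ImagePath
    $findings.Add("service key present: $serviceKey (ImagePath '$imagePath')")
}
# Is the driver loaded right now? Win32_SystemDriver lists kernel drivers and their state.
$loaded = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -like '*amsint32.sys' -and $_.State -eq 'Running' }
if ($loaded) { $findings.Add("driver loaded and running: $($loaded.Name)") }

# 2. Safe Mode sabotage: SafeBoot\Minimal and SafeBoot\Network exist on a healthy
#    system; Sality deletes them so the machine can no longer boot into Safe Mode.
$safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
foreach ($sub in 'Minimal', 'Network') {
    if (-not (Test-Path -LiteralPath "$safeBoot\$sub")) {
        $findings.Add("SafeBoot\$sub is missing (Safe Mode disabled)")
    }
}

# 3. Per-user policy tampering. DisableRegistryTools only blocks regedit.exe;
#    the PowerShell registry provider ignores it, which is why this script can
#    still read and restore the values.
$policyKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$explorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$regToolsDisabled = $false
$hiddenSuppressed = $false
$policy = Get-ItemProperty -LiteralPath $policyKey -ErrorAction SilentlyContinue
if ($policy -and $policy.DisableRegistryTools -eq 1) {
    $regToolsDisabled = $true
    $findings.Add("DisableRegistryTools=1 under $policyKey")
}
$explorer = Get-ItemProperty -LiteralPath $explorerKey -ErrorAction SilentlyContinue
if ($explorer -and $explorer.Hidden -eq 2) {
    $hiddenSuppressed = $true
    $findings.Add("Hidden=2 under $explorerKey (hidden files are not shown)")
}

# 4. Report, and optionally undo the two values that are safe to reverse in place.
if ($findings.Count -eq 0) {
    Write-Output 'No Sality.AT host indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
if ($Remediate) {
    if ($regToolsDisabled) {
        Set-ItemProperty -LiteralPath $policyKey -Name DisableRegistryTools -Value 0 -Type DWord
        Write-Output 'Restored DisableRegistryTools=0.'
    }
    if ($hiddenSuppressed) {
        Set-ItemProperty -LiteralPath $explorerKey -Name Hidden -Value 1 -Type DWord
        Write-Output 'Restored Hidden=1 (show hidden files).'
    }
    # The driver, its service and the infected executables are deliberately left alone:
    # they need a proper disinfection tool and a reboot, not a registry edit.
}
```

Save the script as, for example, Sality-Triage.ps1 and run it from an elevated prompt; add -Remediate to put the two per-user values back. A driver that is present on disk but not listed as running, or a SafeBoot key that is missing without any other indicator, still warrants a full scan, since the virus re-infects cleaned files while it remains resident.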
Sality kills processes that have any of the following modules loaded:
* DWEBLLIO
* DWEBIO

In the subkey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System the virus disables regedit.exe by setting the value "DisableRegistryTools" to "1", and it prevents Explorer from showing files with the hidden attribute by setting the value "Hidden" to "2" in the subkey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced.

Sality.AT tries to download files from remote servers to the local drive, then decrypts and runs them. The virus has been observed connecting to the following servers:
* www.klkjwre9fqwieluoi.info
* kukutrustnet777888.info
* klkjwre77638dfqwieuoi888.info
* 89.119.67.154
* kukutrustnet777.info
* kukutrustnet888.info
* kukutrustnet987.info

The downloaded malware includes:
* TrojanProxy:Win32/Pramro.F
* TrojanSpy:Win32/Keatep.B

See also
* Virut

References

External links

Category:Win32
Category:Win32 virus
Category:Virus
Category:Backdoor
Category:Win32 backdoor
Category:Keylogger
Category:Polymorphic virus